Re: Logging attempted passwords
From: Greg Wooledge (wooledg_at_eeg.ccf.org)
Date: 10/22/04
- Previous message: Philip Le Riche: "Re: Logging attempted passwords"
- In reply to: Derek Martin: "Re: Logging attempted passwords"
- Next in thread: Derek Martin: "Re: Logging attempted passwords"
- Reply: Derek Martin: "Re: Logging attempted passwords"
Date: Fri, 22 Oct 2004 08:03:19 -0400
To: secureshell@securityfocus.com
On Fri, Oct 22, 2004 at 02:57:24PM +0900, Derek Martin wrote:
> David appears to be asking for the PASSWORD the user used on a failed
> attempt. I'm not 100% positive, but I believe OpenSSH does not
> provide a mechanism to get the password.

Logging failed passwords is a Very Bad Idea if you actually *use*
password authentication.

Suppose your password is 'Open*SSH-3.9' (without the quotes). But
that's pretty hard to type on some keyboards with hyperactive Shift
keys, so maybe you fail by accidentally typing 'OPen*SSH-3.9', and
that gets logged. Now, someone gets hold of your logs (by whatever
means). Do you think your password is "safe" any more?
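
To put a number on the example in the message above (an added illustration, not part of the original post): the sketch below measures how little uncertainty is left once the mistyped attempt is in a log. It assumes a US keyboard layout and that the failure was a single Shift slip on one key; the function names are this example's own.

```python
import math

# Assumption: US keyboard layout. Each key's unshifted and shifted symbol.
_UNSHIFTED = "`1234567890-=[]\\;',./"
_SHIFTED = "~!@#$%^&*()_+{}|:\"<>?"
SHIFT_PAIR = {**dict(zip(_UNSHIFTED, _SHIFTED)),
              **dict(zip(_SHIFTED, _UNSHIFTED))}


def shift_toggle(ch):
    """Character the same key produces with Shift in the opposite state."""
    if ch.isalpha():
        return ch.swapcase()
    return SHIFT_PAIR.get(ch, ch)


def one_slip_neighbours(logged):
    """Every string that differs from the logged attempt by one Shift slip."""
    out = set()
    for i, ch in enumerate(logged):
        toggled = shift_toggle(ch)
        if toggled != ch:
            out.add(logged[:i] + toggled + logged[i + 1:])
    return out


def remaining_bits(logged):
    """Uncertainty (in bits) left about the password once the typo is logged."""
    return math.log2(len(one_slip_neighbours(logged)))


def blind_bits(length, alphabet=95):
    """Uncertainty with no log: any printable-ASCII string of that length."""
    return length * math.log2(alphabet)


if __name__ == "__main__":
    logged = "OPen*SSH-3.9"   # the failed attempt from the message
    actual = "Open*SSH-3.9"   # the password from the message
    print("password within one slip of the log entry:",
          actual in one_slip_neighbours(logged))
    print("bits left with the log:    %.1f" % remaining_bits(logged))
    print("bits left without the log: %.1f" % blind_bits(len(actual)))
```

The practical consequence for log handling: a failed-password field has to be treated as if it were the password itself, which is why the safe design is not to record it at all.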